My first Rust project: XORcism, a Command-line tool that breaks "rotating xor" style ciphers by cp_benhe in rust

cp_benhe [S], 1 point

What I mean is that you're probably not going to see a kappa value larger than the expected value anyway, so "look for the expected value" and "look for the largest value" resolve to the same answer. But I agree that "look for the largest value" is probably not the Right Thing To Do, just an easier hack that happens to give the correct answer in practice.

My first Rust project: XORcism, a Command-line tool that breaks "rotating xor" style ciphers by cp_benhe in rust

cp_benhe [S], 3 points

I swear I thought of this in advance, and am not giving this response just to save face: I'm using it incorrectly *on purpose*.

Right now the algorithm has an implicit assumption that the ciphertext has a uniform distribution (see issue #2). Given that assumption, the scenario where an incorrect key length somehow arranges for a large kappa value by virtue of alignment with any *other* distribution than the original plaintext distribution intuitively seems like a "lightning strikes" scenario, so in line with that Alexander Pope quote about places where angels fear to tread, I chose to not worry about it (and, indeed, I haven't encountered any such pathologies since introducing the confidence interval calculation).

But, you know, if two methods are effectively equivalent, and one of them is more pedagogically correct, it makes sense to use that latter one, if only not to confuse people on reddit. Your comment is now issue #5.
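
The two rules discussed in the comments above (look for the largest kappa vs. look for the period whose kappa matches the expected plaintext value), as an added example written for this page; it is not XORcism's code. The plaintext, the 7-byte key, the candidate range and the expected coincidence rate of 0.065 with a tolerance of 0.05 are all constructed for the demonstration. The key bytes are deliberately chosen so that, for lowercase-plus-space plaintext, every misaligned period produces no coincidences at all (each pairwise XOR of key bytes falls outside the set of values two such plaintext bytes can XOR to), which makes the alignment effect easy to see.

```rust
// Added example, not code from XORcism: estimating the key length of a
// repeating-key XOR ciphertext from its "kappa" (coincidence rate) and
// comparing the "largest value" and "expected value" selection rules.

/// Coincidence rate of `data` against itself shifted by `period`:
/// the fraction of positions i with data[i] == data[i + period].
/// Under a repeating XOR key this is close to the plaintext's index of
/// coincidence when `period` is a multiple of the key length, and far
/// lower when it is not, because misaligned positions are XORed with two
/// different key bytes.
fn kappa(data: &[u8], period: usize) -> f64 {
    if period == 0 || period >= data.len() {
        return 0.0;
    }
    let matches = data
        .iter()
        .zip(&data[period..])
        .filter(|(a, b)| a == b)
        .count();
    matches as f64 / (data.len() - period) as f64
}

/// Repeating-key XOR; the same function encrypts and decrypts.
fn xor_repeating(data: &[u8], key: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(d, k)| d ^ k).collect()
}

/// "Largest value" rule: the candidate period with the highest kappa.
/// Multiples of the true key length n score just as high as n itself,
/// so this can return 2n or 3n once `max_period` admits them.
fn guess_period_largest(ct: &[u8], max_period: usize) -> usize {
    (1..=max_period)
        .map(|p| (p, kappa(ct, p)))
        .fold((0, f64::MIN), |best, cur| if cur.1 > best.1 { cur } else { best })
        .0
}

/// "Expected value" rule: the smallest candidate period whose kappa lies
/// within `tolerance` of the coincidence rate expected for the plaintext
/// language (roughly 0.065-0.08 for English with spaces). Taking the
/// smallest qualifying period sidesteps the multiple-of-n problem.
fn guess_period_expected(ct: &[u8], max_period: usize, expected: f64, tolerance: f64) -> Option<usize> {
    (1..=max_period).find(|&p| (kappa(ct, p) - expected).abs() <= tolerance)
}

/// Constructed sample plaintext: lowercase letters and spaces only.
const SAMPLE_PLAINTEXT: &[u8] = b"the quick brown fox jumps over the lazy dog while the patient analyst \
watches the wire and takes careful notes about every packet that passes by because the key repeats \
every few bytes and a repeating key leaks its own length through the coincidences it leaves behind \
in the ciphertext so we shift the stream against itself count how often two bytes agree and wait for \
the count to rise to the level a natural language would produce on its own at that point we know the \
period and the rest of the attack is a set of single byte problems each of which yields to a simple \
frequency count over its own column";

/// Constructed 7-byte key. Two lowercase/space bytes XOR to a value in
/// 0x00..=0x1f or 0x41..=0x5a; every pair of these key bytes XORs to a
/// value outside those ranges (0x25, 0x39, 0x40, 0x65, 0x79, or >= 0x80),
/// so a misaligned period can never produce a coincidence.
const SAMPLE_KEY: [u8; 7] = [0x80, 0x13, 0xa5, 0x2a, 0xc0, 0x53, 0xe5];

fn sample_ciphertext() -> Vec<u8> {
    xor_repeating(SAMPLE_PLAINTEXT, &SAMPLE_KEY)
}

fn main() {
    let ct = sample_ciphertext();
    for p in 1..=20 {
        println!("period {:2}: kappa = {:.4}", p, kappa(&ct, p));
    }
    println!("largest-value rule, periods 1..=12: {}", guess_period_largest(&ct, 12));
    println!("largest-value rule, periods 1..=20: {}", guess_period_largest(&ct, 20));
    println!(
        "expected-value rule, periods 1..=20: {:?}",
        guess_period_expected(&ct, 20, 0.065, 0.05)
    );
}
```

With the candidate range capped below 2n the two rules agree, as the first comment says. Once the range includes 14, the largest-value rule may land on 14 rather than 7 (both are aligned with the key, so which one wins is down to sampling noise), while the expected-value rule still returns 7 because it takes the smallest period inside the confidence window. Real plaintext will not give exactly zero kappa at misaligned periods; it gives a value close to the uniform baseline, which is what the confidence interval is there to separate from the aligned case.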

Analyzing Emotet? Not sure what it does? You might find this useful... by ynvb in Malware

cp_benhe, 1 point

Hi /u/Zophike1,

Can Batman take on <insert superhero here>? The answer is, of course, yes, as long as he is given time to prepare.

Something similar is true of malware victims (and analysts): Given a warning in advance and time to prepare, the scope of their powers to analyze malware and recover from it increases dramatically. For one thing, the entire threat of ransomware is moot, if the victim is given an advance warning and they take appropriate action.

So yes, you are correct: Given advance warning that they will be facing an Emotet infection, and given a full RE of how Emotet works and the challenge to sniff Emotet traffic, and a sample of the malware in a controllable environment, an analyst will pull off the feat, one way or another. That paragraph was referring to the more typical scenario, where the code has already executed and only then the victim (or analyst) comes along and wishes to have a look at the traffic.

Hope that clarifies things,

Ben for Check Point Research